Scanners, warnings and checklists

This month's security newsletter covers three brief topics: Information about another commercial security scanner; a warning about a security scanner I previously wrote about; and a useful (and free) Web checklist to help tighten up your Domino/Notes security configurations.

Another commercial scanner
Readers of this newsletter have consistently shown an interest in software tools that help find security vulnerabilities in Domino servers. Until recently, I had trouble finding any such tools, but now they seem to be coming out of the woodwork. My tip for November discussed DominoScan from Next Generation Security Software. Now, I have been contacted by some ex-Lotus employees at Rapid7 about their security tool named NeXpose. This product has the advantage of being a general-purpose security scanner, but is also Domino-aware and looks for vulnerabilities specific to Domino servers. NeXpose is a client/server system, where the client submits scan requests to the server-side software, the server executes the scans, and then reports the results back to the client in real time. NeXpose currently runs on Linux, Windows2000, and WindowsXP.

A warning on DomiLock
On several occasions, I have discussed the free Web-based security scanner named DomiLock. Reader RobE astutely pointed out to me that the format of this scann

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Spam and Security Securely connect Lotus Domino servers on different domains Protect Lotus Notes from malicious code with the Domino ECL How to correct Lotus Notes public key mismatches in four easy steps A recipe for secure IM success Telecommuter security kit Spear phishing: Don't be a target FAQ: Lotus Notes Domino password issues Security awareness training: How to educate employees about spyware Seven tips to strengthen your Domino e-mail security Admin2005 preview: Tips, techniques, and a look at Notes/Domino Rel. 7

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

er puts the user at some risk. To use the scanner, you type the name of your Web site (to be scanned) into the DomiLock Web page. DomiLock produces a nice security report for you, for free. The only problem is that it is possible for DomiLock to be gathering information about scans that it does and be saving the names of vulnerable sites. I have absolutely no evidence that DomiLock is doing this or has any intention of doing so. Just be aware that you are safer to run security scanners on your own machine, rather than tell someone else the names of Web sites you are assessing.

Useful security checklist
Reader LawrenceZ contacted me about his Web site at http://www.rtdc.com. Of course, the Web site tries to sell his consulting services (just like mine does) but he also has some valuable checklists for Domino/Notes administrators and developers. One of the problems with Domino/Notes is that experts tend to have lots of valuable knowledge in their heads, but it is hard for beginners to find the same information. The checklists at Lawrence's site are a good place to start. Especially note the security list at http://www.rtdc.com/CKLS/NotesSec/notessec.htm.

Chuck Connell runs DominoAdministration.com, a service for outsourcing Domino and Notes administration; and DominoSecurity.org, a resource for Domino/Notes security information.

Rate this Tip To rate tips, you must be a member of SearchDomino.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.